Internet access is becoming pervasive; wireless access is available anywhere one can use a mobile phone. However, user experience is far from uniform on these networks. The network topology and access type can greatly affect the user experience. Consider the following examples:
First, a user can connect to a corporate 100 Mbps LAN and access Internet sites. How fast the connection “feels” to the user can be dominated by the corporate uplink to the backbone. For example, if it is a 1000-person company sharing a 384 Kbps DSL link, it will be very slow. However, if they have a 1 Mbps T1 link shared amongst 50 people, it can feel much faster.
Second, a user can set up an 11 Mbps WiFi network in their home and use a 2 Mbps cable modem to connect to the Internet. In this case, the user's experience will be dominated by the 2 Mbps cable modem, which is actually shared by all the people on the block.
Finally, a user can use a 40 Kbps GPRS modem to connect to a mobile network, which has a T1 connection to the backbone. In this case, the T1 is shared amongst all of the connected users, but unless the network provider is over-provisioned, this link will be underutilized. Thus, the GPRS link will dominate the user experience.
The common thread in all of these scenarios is that disparate networks connect together to give a user access to the Internet, but the user experience is typically dominated by a single link in that topology.
Before an endpoint gains access to corporate enterprise network infrastructure and resources, it is increasingly necessary to determine that the endpoint has undergone host security checks and audits verifying that it meets corporate information technology policies. Examples of such checks include, without limitation, verifying that the anti-virus software on the endpoint is up to date, that the latest operating system patches have been installed, and that no malicious software is executing on the endpoint. Performing these checks minimizes the infection of other connected corporate assets by a compromised endpoint.
Conventional methods of access control typically require receipt and evaluation of authentication credentials from a client prior to granting access. The credentials are typically presented to an access infrastructure or other security gateway, which determines what types of access may be provided to the client. Methods for requesting and receiving these credentials typically generate additional administrative burdens. For example, if a user is entering the credentials into a user interface, the request for the required credentials must be translated into a format understandable to the user, for example from the expression in which the policy was entered into a request that identifies the explicit credentials required for evaluation of the policy. When the credentials are received from the user, in some methods, a policy engine applies a policy to the credentials in making an access control decision. This typically requires transmission from the component receiving the credentials to the component making the access control decision, generating additional delay in situations where the components are remotely located from each other and from the client.
A method that minimizes the administrative burden of requesting user credentials, by transmitting an expression of a policy to a client without modifying the format of the expression, would be desirable. A method by which the client evaluates such an expression, minimizing the number of components required to reach an access control decision, would also be desirable.
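As an added example that is not part of the original document, the following Python sketch shows the approach the preceding paragraphs call for: the gateway transmits a policy expression unchanged, and the client evaluates it locally against its own posture facts (anti-virus signature age, missing patches, a running malware process), so only the verdict needs to travel back. The policy grammar, the attribute names, and the functions `tokenize` and `evaluate` are assumptions made for this example.

```python
import operator
import re

# Assumed grammar: attr OP number, bare boolean attr, NOT/AND/OR, parentheses.
OPS = {"<=": operator.le, ">=": operator.ge, "==": operator.eq,
       "!=": operator.ne, "<": operator.lt, ">": operator.gt}

def tokenize(text):
    """Split a policy string into tokens; any character outside the grammar is rejected."""
    toks = re.findall(r"<=|>=|==|!=|[<>()]|\d+(?:\.\d+)?|[A-Za-z_]\w*", text)
    if "".join(toks) != "".join(text.split()):
        raise ValueError(f"policy contains input outside the grammar: {text!r}")
    return toks

def evaluate(policy, facts):
    """Evaluate the policy string exactly as received against the endpoint's own posture
    facts. Precedence NOT > AND > OR; unknown attributes raise instead of granting."""
    toks, i = tokenize(policy), 0
    def take():
        nonlocal i
        i += 1
        return toks[i - 1] if i <= len(toks) else None
    peek = lambda: toks[i] if i < len(toks) else None
    def atom():
        t = take()
        if t == "(":
            v = or_expr()
            if take() != ")":
                raise ValueError("missing ')' in policy")
            return v
        if t == "NOT":
            return not atom()
        if t not in facts:
            raise ValueError(f"policy references unknown attribute {t!r}")
        if peek() in OPS:                      # comparison: attr OP number
            op, rhs = take(), take()
            return OPS[op](float(facts[t]), float(rhs))
        return bool(facts[t])                  # bare attribute is a boolean fact
    def chain(sub, word, combine):             # left-assoc list of `sub` joined by `word`
        v = sub()
        while peek() == word:
            take()
            v = combine(v, sub())              # right side always parsed, never short-circuited
        return v
    and_expr = lambda: chain(atom, "AND", lambda a, b: a and b)
    or_expr = lambda: chain(and_expr, "OR", lambda a, b: a or b)
    result = or_expr()
    if i != len(toks):
        raise ValueError(f"unparsed tokens at end of policy: {toks[i:]}")
    return result
```

Because the expression is parsed against a closed grammar and every attribute must be present in the client's fact set, a malformed or tampered policy fails closed rather than producing a grant.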